>> Hi, everyone. Welcome to the Azure Security Expert Series. I'm Ann Johnson, and I lead Microsoft's Cybersecurity Solutions Group. As part of my job, I'm able to meet security teams from virtually every industry doing amazing work to protect their organizations. Today, we're launching the Azure Security Expert Series because your work is business-critical. We want to do everything we can to equip and empower every security team out there with the latest security information for Azure, including tools and best practices. We also want to make this content accessible to anyone online.

Now I've been around the security industry for about 20 years. I have to say though, I'm amazed at how quickly cyber crime has evolved in just the past few years. It's getting even harder than ever to keep up with the pace and the scale of cyber attacks. There are more connected devices, more apps, and even more endpoints, which means a broader digital estate and more attack vectors for cyber criminals to exploit. Cyber threats are not only increasing but they are becoming much more sophisticated. We are seeing a growing number of nation-state actors and an increase in sophisticated cyber gangs. That said, I've learned that for every security issue that makes headlines, there are countless untold stories; stories of hardworking teams who show up every single day to combat cyber threats. Yet there is also a massive shortage of trained cybersecurity talent. In fact, the talent gap is growing, with three million cybersecurity jobs opening in the next two years. So it's critical that we recruit, that we train, and that we retain more cybersecurity experts to use modern tools to protect today's heterogeneous environments. It's also important that we attract diverse talent, because our teams need to be as diverse as the problems we are trying to solve. Studies in fact show us that diverse teams make better decisions about 87 percent of the time, and yet today, women make up about 10 percent of the cybersecurity industry.

Now Microsoft has launched several initiatives to address diversity in our industry. Through our partnership with the Security Advisor Alliance, we have created a full-day Capture the Flag event that is designed for students in 7th through 12th grades. With these events, our goal is to reach two million students in economically disadvantaged areas. We're also planning to create 20,000 internships and increase the number of women and minorities in security roles. In addition, to date, we've seen more than 4,000 registrations for our Microsoft-certified program for cybersecurity. We've also partnered with BlackHoodie to deliver a reverse engineering workshop for women at our annual BlueHat Conference, and we've even extended our efforts to Africa with training for women in Nairobi as part of the She Hacks Africa boot camps. We want to encourage you to create diversity initiatives within your own organizations. We also recognize that many of you work extremely hard and you may feel outnumbered by bad actors, so it's incredibly important that you take care of your own health and your own well-being.

In today's episode, we're going to discuss five best practices to strengthen your security posture on Azure and safeguard your businesses in this rapidly evolving landscape. We have also launched a set of companion videos for those of you who want to dive deeper into specific topics. If you have any questions, please use the chat window. We have Microsoft security experts online to answer your questions throughout this session and up to about an hour afterwards.

So why is Microsoft doing this series? Because helping our customers with cybersecurity is a top priority for us. We invest over a billion dollars a year and have hired more than 3,500 security professionals so we can deliver the best, most trusted security solutions and services. Even some of our largest customers in the world, who significantly invest resources in cybersecurity, don't come close to matching this level of resourcing or financial investment. The investments we make are designed to help teams like yours scale your ability to defend against bad actors so you can focus on what's truly important. We take a robust, holistic approach to offering you security across your operations, across our best-in-class technology, and with our strategic global partnerships.

When it comes to operations, we have some of the world's best physical security and global Cloud infrastructure, with over 100 data centers across the planet. Our operational controls include perimeter security, roaming patrols, background checks, video surveillance, verified single-person entry, and much more. We even inspect the BIOS and firmware from our vendors for security issues, and we do this on a regular basis. We bring the power of all of our threat intelligence collected from Office 365, Azure, and Xbox to protect your workloads. Our Cloud infrastructure also has built-in protections from denial of service, and we constantly monitor and mitigate threats through our Cyber Defense Operations Center. When access is required to Azure infrastructure, we use just-in-time and just-enough access principles. We also lead the industry in offering payments, known as bug bounties, to security researchers who reside outside of Microsoft so they can find vulnerabilities and notify the Microsoft Security Response Center. We believe strong operational practices create the foundation for customer trust and customer success.

Our security technologies, built on Microsoft Azure, are designed to combat the most complex and the most insidious cyber threats out there. We take a shared responsibility model that gives our customers the ownership and control you want whilst empowering you with built-in security controls to keep your assets secure. We will discuss these technologies in much more depth later.

But finally, our security strategy is bolstered with the power of partnerships. With ever-evolving security threats and industry needs, we know Microsoft solutions are at their best when we tap our global community of partners. A great example of this partnership is the Microsoft Intelligent Security Association, which brings together some of the world's most innovative security companies and gives our customers the choice and expertise they are looking for. Later in this episode, we'll hear from one of those partners, Check Point. Next up, we are going to dig into the five Cloud security best practices to help keep your organization secure. But first, take a look at this.

[MUSIC]

>> So now, let's talk about the five Cloud security best
practices. To help us do this, we have Hayden Hainsworth, who leads our Azure Security Customer Experience team. Hayden and her team work every day with our top customers, so they know which best practices are the most effective. Hayden, thank you so much for joining us today.

>> Thanks, and I'm delighted to be here.

>> So Hayden, as our customers consider Cloud security, what do you actually offer as best practices?

>> Well, Cloud security is a fundamentally new landscape to begin with, and while many of the security principles remain the same as on-premises, the implementation is often very different. So it's important that you assume breach as a mindset and understand that the perimeter has changed significantly. So given that, a new paradigm is needed, and how you think about access controls and network security fundamentally needs to change. While there has been a lot of heavy lifting that has been done by the Cloud provider, in this case, us, on your behalf, you still have a role to play in it, and we call that a shared responsibility. So it means the way you work needs to change. So let's go ahead and dive in and explore some of the best practices in some key areas. We'll talk about identity and access control, security posture management, apps and data security, threat protection, and my favorite, network security. It's a mouthful and there's a lot to learn.

>> Yeah, you're right. There is a lot to learn. So let's break it down into simpler concepts for our customers. Let's start with identity and access control.

>> Now our first best practice is to strengthen access control. Think of it as your front door, because frankly, while a firewall was necessary t Why? Due to the proliferation of the Cloud, mobile devices, and the Internet of Things. It's very difficult, given the proliferation of devices, really to operate in this mindset that everything is contained neatly behind your classic firewall, and so we need to operate in a zero-trust model. Now what do I mean by that? It means trust no one or anything, so a machine, a human, a resource, or a thing. Identity becomes the new perimeter. So you need to verify the identity of everything and anything that's trying to authenticate or connect to your systems before granting access.

>> So given all of that, and given the concept of identity as the new perimeter and zero-trust networking, what is a really good first step?

>> The very first step, Ann, is to turn on Multi-Factor Authentication, or MFA. This will significantly reduce your chance of identity spoofing. Three years ago, Microsoft was on a gradual roll-out of MFA across our company. Yet another Fortune 100 company was compromised. It was significant, it hit the press, it was a really big deal. It was a wake-up call, quite frankly, and so we rapidly accelerated our own deployment of MFA. But even today, three years later, it's really disappointing that not every enterprise customer has MFA turned on, and so in 2019, it really is a must-do.

>> Yeah, MFA obviously is a must. I mean, we're on a mission to move our customers away from passwords, right? Because people tend to use weak passwords. They will use their dog's name, or they'll reuse the same password on every website.

>> Yes, they do, Ann. It's critical that we move away from passwords to password-less. But also, one of the recommendations I have is to remind people not to put their passwords in places like OneNote, or OneDrive, or SharePoint, or Box, or Dropbox. It's very easy for an adversary, unfortunately, to get a foothold and then to discover those passwords and use those to authenticate against another machine, laterally move across the network, escalate privileges, and achieve domain dominance. So our recommendation is to move beyond passwords altogether and take advantage of the power of biometrics, so fingerprints, facial recognition. It's so much simpler, it increases the users' productivity, and it enhances their security significantly.

>> So now that we've talked about passwords, we've talked about eliminating them using MFA, using Windows Hello for Business, or other biometric controls. How do we think about users and access control?

>> So we recommend taking advantage of what we call conditional access. Now, conditional access is going to give users access to only the resources that they need while inspecting for potential sign-in risks, such as logging in from a suspicious or unknown location, or potentially whether that device is missing multi-factor authentication. Now, a best practice additionally is to give least-privilege access, or the lowest amount of access to the lowest number of necessary users, and we call this least privilege. It was really, really hard to do on-premises, but in Azure, it just makes it so much easier to set up. Finally, we have a concept called JIT access, just-in-time access, using Azure Privileged Identity Management, or PIM. Now with PIM, you can require approval prior to granting access, and more importantly, you can audit the access history. Now finally, I recommend using Azure's RBAC, or role-based access control, at the actual resource level. This will then enable you to assign one of Azure's many built-in roles or create your own custom role for a specific set of resources.

>> So what I'm hearing is identity is critical, obviously, access control is important, and our customers are always asking for simplified security controls in the Cloud that are more automated, and it sounds like Azure's bringing those controls to them.

>> Exactly. Now that's why we recommend that we assume breach and that you create a zero-trust model, implement MFA, and assign that appropriate access control.

>> Thanks, Hayden. There's a lot of things for our customers to consider there. But talk to me about the one question I get from almost every customer. How do we protect access to the customer's data within the Azure tenant?

>> So that's a very good question, Ann, and we get this all the time as well. It's super important to understand that we respect customers' privacy; we take this accountability very seriously. It's important to understand that your data is your data; our engineers have no access to your data. Even if something bad happens to your environment, we don't have access to your data. Now, of course, there are cases where you may choose to ask us to help you, and in that case, we've engineered a solution that we call Customer Lockbox. It's generally available, and it allows our support engineers to get access, granted by you, of course, so that we can help isolate and troubleshoot that particular machine for you, and it also provides a complete audit history as well.

>> So it's exciting to note that Lockbox is generally available today.

>> Yes.

>> We get to announce something, not just talk. Anyway.

>> This further demonstrates our
commitment to customer privacy, our commitment to customer security, and making sure that our customers have the simplified tools that you need for Azure Security. So now let's talk about something different. Let's shift. Let's talk about how customers can increase their security posture. I mean, you can't do posture management well without getting visibility into your assets, into your environment. So can you talk a little bit about how Azure handles inventory and access to that inventory?

>> Absolutely. So with Azure, asset inventory is really quite simple. Now you go to the portal, and you'll see a list of all of your resources. It's a really big improvement from asset management on-premises, which quite frankly was a manual, cumbersome, and error-prone process.

>> Then how do you improve the security based on having the visibility to those assets in Azure?

>> So the first thing first is to turn on Azure Security Center, and check out your Secure Score rating. The Secure Score is this intuitive concept with a very clean UI with a numerical value, and that Secure Score is going to give you a number that shows you, at a glance, how secure you are, and what your security posture management is in Azure. It will also then provide you with the list of the top recommendations to go remediate, with the highest level of impact first, so that you can greatly increase your Secure Score.

>> Do you find that sometimes customers aren't actually turning on Secure Score, Azure Security Center, for all of their times? They only turn it on maybe when security is involved.

>> Yes, and it's a problem. So the first action is that they actually do need to turn on Azure Security Center. So you need to enable it; it's not on by default. Secondarily, what we find is that oftentimes, a particular subscription owner will be aware to turn on Azure Security Center, and in other cases, they may be unaware. So it's really super important that for every subscription in an environment they enable Azure Security Center.

>> Okay. What roles typically are going to use Azure Security Center within a customer?

>> For the most part, I think of it as a CISO potentially, or the security admin would use Azure Security Center, and sometimes SecOps will use Security Center. Now, we do have dashboard recommendations for all of your resources, I forgot to mention that, and that extends beyond just your virtual machines, to networking, storage, SQL, your app services, and of course, IoT now as well.

>> So speaking of virtual machines, right? Big concern for everyone. What is one of the most common attack vectors we see?

>> Yeah. One of the most common attack vectors is open, Internet-exposed endpoints. So adversaries are going to brute force passwords over SSH and RDP. Now, it's a critically important vector to lock down, and we understand that teams need to be able to manage their environments. So there is a time when they need to open an RDP port. But leverage the power of Cloud and automation to harden that environment, and use JIT VM access to close those Internet ports. With JIT VM access, you can open IPs for a specific duration and for specific ports, and so it will greatly decrease that attack vector of having open, Internet-exposed endpoints.

>> Excellent. So that's kind of how we protect our virtual machines, or at least one way to protect our virtual machines from brute-force hacking. What are other ways we could protect resources like IoT, which all customers are concerned about today?

>> Rightly so, right? That is a huge vector that's quite difficult to contain. Getting that right is really important, and we know that the world is shifting, and so we've got smart light bulbs, and we've got smart cars, and smart cities now. There was a story about a casino that has state-of-the-art security that unfortunately was compromised due to a thermometer that was sitting in that fish tank.

>> Rogue fish.

>> I know. It was connected to the Internet. So Azure Security Center can assess your security posture and look for those IoT devices, so that you can ensure they're running the latest patches or take the compromised devices offline. Now one of the challenges with IoT is that not every device actually meets today's security needs. Some of them, quite frankly, aren't patchable. So we have a solution for that, that we've introduced, called Azure Sphere. Now it's a modern, secure microcontroller with a secure operating system that connects to Azure, and then it represents a generational leap forward in IoT security. It's phenomenal.

>> So we see a lot of interest in IoT, a fundamental belief the Cloud is the only way to implement and scale that type of security to protect the proliferation of IoT devices we've seen. To summarize where we are right now, because we're covering a lot of content, Azure Security Center is the most mature Security Center of any public Cloud. If you're a security admin, if you're a subscription owner, you actually need to understand your Secure Score and how to improve it, and you need to turn on, as Hayden said, Azure Security Center. One of the challenges that we find our security admins face every day is they're fighting fires, right? They're not doing anything proactive to secure their environments. They're being reactive, they're responding to a lot of noise and a lot of signal. So talk to me a little bit about how security admins can spend more time being proactive and less time fighting fires.

>> It's true, absolutely. So one area that will help you get out of reactive or firefighter mode is if you can collaborate with your DevOps teams up front on key security policies. So that way, you can apply the policies at the beginning of the engineering cycle as secure DevOps rather than DevSecOps, and it's something that we call shift left. Now implementing shift left is quite difficult and challenging on-prem, because you don't have a consistent management plane. But in Azure, we have ARM, which is a game changer.

>> What exactly is ARM?

>> Thank you. Sometimes I overuse acronyms. So ARM stands for the Azure Resource Manager, and it's a consistent management plane for Azure, and every resource in Azure can have a policy applied to it.

>> Can you give me an example of what type of policies you'd apply via ARM?

>> Absolutely. So an example policy would be ensuring that there are no public-facing IP addresses or Internet-exposed endpoints, ensuring that Azure Security Center is enabled, or that your disks are encrypted. There are literally thousands of policies that you can configure in Azure. We've seen our customers like British Petroleum create groups of security policies for different users. In BP's case, they have three classes of users, and these classes have three different groups of security policies based on only what that business group needs. So the security team will work with the DevOps team to adjust specific policies over time. Once again, you want to give the appropriate access to the specific role so that they have just what they need, not too much and not too little. It's like the Goldilocks of access.

>> Speaking of BP, let's hear
directly from them. It's really exciting to hear what BP is doing with Azure. But when we talk about policies, can customers ensure that the policies are adhered to before a project is implemented, or do they only implement them afterwards?

>> That's a good question. So what is exciting is that you can check policies before a project is actually deployed. So your DevOps teams can embed runtime checks against security policy that you define directly in the release pipeline itself. So what that means then is that code is not released until it meets your requirements, which is a huge win from a compliance perspective. You can even create subscriptions in Azure for your DevOps teams where they have everything that they need up front, which includes those important security policies, the resources, and the roles that need access, in just a few clicks, and we call this a blueprint.

>> Can you define a blueprint just a little bit more?

>> Absolutely. I'm so glad you asked, because blueprints are amazing, and they're relatively new. So the concept is that it can be really cumbersome for Cloud architects and very large enterprise customers to be able to stamp out, if you will, consistent templates. We have a concept of template, but the blueprint is an uber level on top of that, that helps ensure standardization. I think of it like a blueprint for your house. If you have a blueprint for your house, any contractor that comes to work on your house can follow the map, follow the blueprint, to ensure that they're building your house to code. So in essence, there's a similar concept here with Azure, that any application developer that wants to dock into the overarching Cloud architecture for an enterprise customer can follow that blueprint, and they have what they need in order to be able to scale out those services, and do so in an accelerated way.

>> That's great, Hayden, because one of the things our customers consistently tell us is they want simpler Cloud controls for security, and this sounds like it really simplifies the replication of different policies.

>> Correct.

>> Perfect. So the other thing Azure does is it opens the door to a new level of governance and strategic collaboration between those DevOps teams and security teams. This is obviously important in today's business environment, where regulatory compliance is critical and regulations are increasing every day. So in Azure, can I actually test my policies against certain controls like ISO or against PCI?

>> Absolutely. Yes, you can. These are table stakes, quite frankly. Regulatory compliance is critical, it's a must-do, and so we have to operate and provide this capability for our customers. So you can absolutely select what you must adhere to, like PCI or ISO 27001, in the Azure Portal, and then compare it against that level of compliance against a pre-canned set of policies. You can also print out a copy, and if needed, share it with your auditor.

>> That's great. The ability to automatically share it with your auditor will certainly help a lot of our customers.

>> Let's move on to another best practice, and let's talk about how we actually secure apps and data. So when it comes to protecting apps, there are differences in the shared responsibility models depending on whether you're on IaaS, or depending on whether you're on PaaS, or depending on whether you're on SaaS. So can you talk a little bit about the shared responsibility and the differences?

>> This is so important to land. So Cloud is a shared responsibility, and depending on where you are on that journey, there is a different responsibility for you as the customer and a different responsibility for Microsoft. So it's really important that everybody understands that. For IaaS applications running in virtual machines, there is more of the burden on you as the customer to ensure that both that application and OS are secure. Now, as you move higher up the stack to Cloud-native PaaS, Microsoft will take more of the security responsibility at the OS level itself. For SaaS applications, we'll manage even more of it.

>> Excellent. So while I'm writing those PaaS applications, all right, what do I need to consider from a security perspective?

>> So first, start by following strong security best practices like the SDL, or Security Development Lifecycle. We've led the path forward for many years in the industry in SDL, not just for our own services, but also in helping our customers deliver secure code. So it's really important to make sure that your developers are trained in SDL, and that you have a clear set of metrics, and that you're performing high-quality threat modeling consistently and often. You should also consider using the Azure Secure DevOps Toolkit, which is a collection of scripts, tools, and extensions with a focus, a heavy focus, on automation and integration into native workflows to help your DevOps teams accomplish secure DevOps, or shift left.

>> So we know that developers are working at a high pace also, a lot of demands on their time. How can we help people avoid security mistakes when they're actually building applications?

>> Good question. Now, when it comes to building applications, one of the common mistakes that we see, unfortunately, is developers embedding secrets, like a connection string, directly within code, and then uploading that code to a public repository like GitHub.

>> Wow.

>> Yeah. It's not good. So attackers of course are continuously hunting for secrets, so it's really important that you don't store them in a public repository. We do have a tool called CredScan, which is constantly monitoring and scanning those public GitHub repos to identify any repository that may contain an Azure secret. If it finds an issue, we'll send an e-mail to the GitHub subscription owner from our CDOC, the Microsoft Cyber Defense Operations Center. Now, we also recently integrated this tool into Visual Studio, so you can check your own code for issues while editing.

>> So if I'm not going to share my secrets and keys in my code, what am I going to do with them?

>> We have a solution for that. We actually engineered one. It's not just secrets and keys, but certificates as well. We call it Azure Key Vault. So you can store your secrets
and keys in your Key Vault and then request them from your
application at runtime. You can also manage your
certificates and auto-renew them with Key Vault. Now, we learned this the hard
way due to an Azure outage. Certificates expire, they're
cumbersome, complex, and difficult to manage
and maintain. So we engineered a solution
called Key Vault to help store your secrets and your keys
safely and securely and help you manage
your certificates. >> That's fantastic. I started my security career as a PKI
architect. >> I didn't know that. >> So I'm super familiar with
all of the challenges and scalability
issues of certificates. So automatically making sure
they're renewing, hugely
important. In addition though, Hayden, many of our customers in highly regulated industries tell
us that they want direct access to the HSM or
hardware security module. They actually don't want the
management that Key Vault
provide. So how do we accomplish that? >> Well, I'm glad you asked
because it's a good question and it actually demonstrates that we're listening to our
customers, and that we're continuously
improving and continuously
iterating. So we do offer direct access to
HSMs or hardware security modules for
customers who want to use their own code and
manage secrets. >> That's fantastic. So we've
talked about building secure
apps. We've talked about how you
manage your secrets, your certificates, your keys. But how do we actually protect
the customers' data? >> Well, for data, you need to
think about encryption and make sure you
have a plan for the different types
of data that are out there like disks, storage,
and databases. Now in Azure, we encrypt storage and disks using
industry-standard encryption. So you could use
Microsoft-managed keys, and in other cases, you could bring your own key. >> How do we actually provide
security for databases? >> Well, for databases, for SQL, there's transparent data
encryption and the newer SQL, Always Encrypted, which actually
works at the column level itself to ensure that data is
inaccessible even to the database admins
themselves. >> So an awful lot to consider
when you're securing applications from dev
practices to secret and key management to
actually protecting the data and
protecting database. Now, that all being said and
we've talked about identity, we've talked about access
management, we've talked a lot about lot of
things, but let's move on to something
that's incredibly important to
all of our customers every day in
this insumed breach environment. Let's talk about how we mitigate
threats. We all know that defense in depth requires us to assume that
breach. We know that Threat Protection helps us identify malicious
activity, and we need to do this very
quickly, right? Timeout detection is incredibly
important. So what are some common best
practices when it actually comes to
mitigating threats? >> So we already talked about
the importance of threat
prevention. So we're going to shift in our
operational security model to focus on threat detection and
threat response. Azure Security Center has built
in threat detection that supports
many Azure resources, including virtual machines,
databases, storage, and IoT. So you do want to make sure that
you turn it on for all of your resource
types, and not just your VMs. In other Clouds, we've seen
storage as a primary target in numerous
incidents. Now, our protection tools take advantage of Advanced
Threat Analytics. So what that means is, if you assume breach as you said
and we think about detection, you want to be able to detect
when there is an escalation that's happening or lateral
movement from compromised
credentials. We also have six and a half
trillion signals for operating one of the largest
Clouds in the world, and we've connected these altogether with what we call the Microsoft Intelligent Security
Graph. We have an API for that that you
can call, your application developers can call so that they can use the
power of the graph in the application
that they're developing as well. Finally, what I'll say is that security admins and security
operations, or SecAdmins and SecOps, can visualize those threat
alerts from their Azure resources in a
single pane with Azure Security
Center. Now Coca-Cola Business Services
North America tells us that
using ASC is a great value add that really allows them to respond
quickly to threats. >> So Azure Security Center
provides threat protection for
Azure, but what about security incident
and event management or SIEM? Many of our customers have
legacy on-premise SIEMs that have been
great logging devices, but not fantastic analytic
devices. So how do we make SIEMs more
successful in the Cloud? >> So SIEMs have been an
important security tool to help those security analysts
consolidate logs from diverse signals and
identify abnormalities. Existing tools were designed for
on-premise architectures. So what we hear often from
customers is that they're very expensive and difficult to
maintain, and they're also overwhelmed
with the sheer volume of signal and
the low fidelity of those
signals. So there's a lot of noise. We've developed an approach and we call it the
next-generation SIEM. It's introduced as Azure
Sentinel. >> Excellent. So talk to me a little about Microsoft Azure
Sentinel. >> So we designed Azure Sentinel
for first party. Now, I'm using it in an internal
code name here, Ann. So basically our Security
Operation Center needed a completely different
model in order to be able to detect and respond to the sheer volume of signal that
we see in the Cloud. So we needed to engineer a new
solution. Now, we have this concept called
first party equals third party, and basically what that means
is, anytime we need to solve at
Microsoft, what we want to do is engineer a solution so that our customers
can take advantage of it. >> Makes sense. >> So the third party solution
in this case is called Azure
Sentinel. We're delighted to bring it to
market, and it is the next generation SIEM born in the Cloud for the
Cloud. >> It's been known I believe to
reduce fatigue of alerts by about 90 percent as a
Cloud native SIEM, right? >> Correct, correct. >> Excellent. So thank you very
much, Hayden, for that information about Azure
Sentinel. I'd like to invite AJ who's
actually going to demo Microsoft Azure Sentinel
for us. >> Thanks, Ann. I'm excited to
show you Azure Sentinel today. Let's get started. Here is an executive dashboard for Azure
Sentinel. It shows a snapshot of important security events in
your organization and recent
cases. Azure Sentinel can collect data
from all your sources from
on-premises to Azure itself and even other
clouds. You do that with these built-in
connectors. With few clicks, you can collect
data from Azure Active
Directory, or Office 365, and Azure
Security Center. You can also connect to partner
solutions like Check Point, Palo Alto, or Cisco, and many
more. Finally, you can connect to industry-standard formats like
Syslog and common event format. Once you collect data, you can draw contextual insights
with custom dashboards. This example shows you a custom
dashboard for Office 365 and all the data-related
insights based on Office 365
workloads. By the way, Office 365 data
ingestion, you can connect your Office 365
data for free in Azure Sentinel. Let's check out the detection
and analytics components now. Azure Sentinel already includes many detection rules for common
attack scenarios, and you can create your own
detection rules and queries. Azure Sentinel is built on the proven foundation of Azure
Monitor and Log Analytics, which currently ingests more
than 10 petabytes of data per
day. Here is a simple threat
detection query showing user sign-ins in the
last week. The machine learning models have identified an anomalous pattern for
us already. A query has been automatically
generated, and now I can analyze users'
sign-in behavior more in detail. As you create proactive hunting
queries, you can also integrate popularly
used tools like Jupyter
Notebooks to visualize and enrich your
hunting experience as you see
here. Ultimately, we want to understand and mitigate the
threats quickly, which you do using cases in
Azure Sentinel. >> We use AI to fuse together multiple low-fidelity signals
into actionable alerts. Here you can see actionable
alerts against detected threats. You can also manage the full
life cycle of an event and its associated
alerts. Let's drill into the Anomalous
Login alert. This interactive graph makes it easier to understand and map
the entire attack. You can see a compromised user
account has already accessed multiple servers and it has also run a suspicious script
on those servers. The next step is to mitigate
this threat. You can automate and orchestrate
your response using playbooks. Now this particular playbook
blocks the compromised user account using
Azure Active Directory. First it creates a service
ticket using the integration with
ServiceNow and also blocks the suspicious
IP address on the firewall. There is a thriving community of security experts sharing best
practices, queries, and dashboards on our
Azure Sentinel GitHub. You can get started today with
Azure Sentinel. It's right there in your Azure
portal. Thank you and back to you, Ann. >> Thank you AJ. I really
appreciate you showing the investigation experience
with Jupyter Notebooks and the
playbooks. I also have to say the response
to Azure Sentinel has been fantastic. Since we announced it at
the RSA conference in March, more than 8,000 customers have
already begun using it. But let's wrap up our
conversation with Hayden and cover our final best-practice,
Managing Networking. We're in a time of network, so what best practices can you share for network security in
the Cloud? >> You're right. We've come a long
way since the '90s when the Internet was
born and we started from the LAN movement
to the WAN, and yet we're here again with another
transformation with the Cloud. So with the Cloud and a
proliferation of devices and IoT, the entire network landscape has changed, and a new paradigm
is needed. Once again, I strongly advise
that you embrace a zero trust approach and that
means trust no one, trust nothing, embrace location, and remember that identity plays a much larger role in this new software defined
networking environment. >> So we know identity is very
important. We know we're in a zero trust
world. Sometimes a customer will ask
me, should I just turn off my
firewall then? >> Absolutely not. No. Zero trust doesn't mean that you should turn off
your firewall. It's quite the opposite. In fact we have an Azure
firewall and we have a Web Application Firewall and
we recommend that you use both. You need to remember that
operational security posture which is protect, detect, and
respond. So appropriate controls need to be in place to protect the
perimeter, detect adversarial activity, and then help you build that respond
muscle as well. So setting up your firewall is
very important. If you only protect with a firewall and then create a
flat network, a flat network will make it much easier for attackers to move
laterally. So don't do that. You want a micro-segmented
network instead. Now, in Azure, we've created a
micro-segmented network with NSGs, or Network Security
Groups. In fact, NSGs are one of the top recommendations right
behind MFA for Azure Security Center. So get familiar with concepts
like virtual networking, subnet provisioning, and IP
addressing. >> Thank you Hayden, and of
course Azure does have built-in networking
services. But we also give our customers
flexibility. They have choice. You can find offerings from F5, Barracuda, Cisco, and Check
Point in the Azure marketplace. With that I'd like to invite Ron
Nahmias from Check Point to share more about the collaboration between Check
Point and Azure. Thank you for joining us, Ron. >> It's great to be here. For
the last 25 years, Check Point has been securing
customers on-premise and recently in the Cloud with their
security needs. Our collaboration with Microsoft
and the move to Cloud has also shifted
us to focus on cybersecurity, with Cloud expertise mostly. >> So we're really excited to
have you here because obviously our customers, like we have 100,000 mutual
customers, they're migrating to the Cloud, they want to maintain their
security posture, their compliance or governance
and we're partnering with Check Point to
make that seamless and simple for
them. So tell us more about how Check
Point is actually helping those customers
secure their Azure networks. >> [inaudible], most of our
customers are focusing on taking the existing security posture
from the on-premise environment into
the Cloud. That makes the whole transition
much easier for the security team to support,
understand, and maintain. We are looking at capabilities
that are very unique to Check Point that our
customers have gotten used to, such as east-west and north-south traffic with deep-packet
inspection and threat prevention and so
forth. In addition our acquisition of
Dome9 late last year gave us the
ability to offer our customers automation of understanding of their
configuration, their roles, and how everything correlates within a Cloud
environment that is significantly different than
what they're used to in the on-premise
environment. >> That can also help customers
in emerging things like Azure Kubernetes Service or
server-less environments? >> Yeah, the emerging services
actually create a new challenge for customers
where they come to look at Kubernetes which is something
they didn't know, containers and Azure Functions, all new compute workloads that
customers are looking to us to help them secure as they
are adopting into transition to the
Cloud. >> Excellent. Well, yeah it's a
valuable partnership. We're obviously helping our
customers make the transition to Cloud much
easier. >> That's right. The security
personnel that we work with are being challenged with a whole
new task or list of tasks that they are not
used to, and their ability to
take the known, trusted Check Point
environment and extend it to the Cloud seamlessly while maintaining the exact same
security posture on-premise and in the Cloud in this hybrid environment makes it
very easy for them to adopt. >> So earlier AJ did a demo of
Microsoft Azure Sentinel, can you talk a little bit about
how Check Point integrates with
Azure Sentinel? >> So we were launch partners
for Sentinel and we built a connector that allows
Check Point and Sentinel to exchange data
and our customers who are looking at
Sentinel can consume input from Check Point
as well as the rest of the sources and get a bigger
better picture. >> So what are your plans?
What's coming up from Check Point for our Azure
customers? >> The first thing we hear from
our customers is the need to simplify. So we're building tools that
will allow customers to assess the security posture in the
Cloud and deploy security tools and policies
automatically. This is going to be wizard based
and it makes it really simple. This is one of the things that
we hear security people very concerned
about. The second thing we're doing
again, very closely with Azure, is working on SD-WAN technologies and security and being able to provide branch
offices, network security as a service and other new features that are
not yet announced together to our joint
customers who are looking forward to
adopting those. >> Ron, thank you so much for
being here. Obviously, the partnership is critical to the security of our
customers. As I mentioned 100,000 mutual
customers, a lot of them moving to the
Cloud, we want to make it simple, we want to make it seamless for customers to protect their
security, their compliance or governance
with joint Azure and Check Point
solutions. >> Thank you Ann for having us. It's a great opportunity to be
talking about the things we do together and
we're looking forward to expanding the
relationship and doing more for our customers and continuing to
work with you, your team, and all our friends
here at Microsoft including you
Hayden. >> Thank you Ron. >> Thank you again Ron. Hayden,
thank you so much. It's been a great session. I
really appreciate you joining us today. >> It's delightful being here.
Thanks Ann. >> I want to thank all of you.
It's been a long session. I really appreciate you joining
us today. I know we've covered a lot of
material but candidly, we've actually only scratched
the surface. So I would ask you to check out our new on-demand content covering deeper information on
Azure Sentinel, Azure Security Center, and more coming up on our Microsoft Azure
YouTube channel. We also want you to go to our
Azure Security expert series
page to learn more and connect with our tech community and of course
we want your feedback. There is an Azure Security Team Ask Us Anything Twitter session
scheduled for Monday, June 24th, at 10 AM Pacific Standard Time. In closing, I want to give a
shout out to all of you who work hard every
single day to protect every person and every organization on our planet
so they can achieve more. Thank you so much for tuning in. [MUSIC]